Cyber Intelligence
Infrastructure Security · 20% of exam

L9. Bastion-less Access: Systems Manager Session Manager & PrivateLink

Video generating

Check back soon for the video lesson on Bastion-less Access: Systems Manager Session Manager & PrivateLink

Eliminate the bastion host and the open SSH port with Session Manager, and eliminate the public internet path to AWS APIs with Gateway and Interface VPC endpoints.

Removing the Bastion Host

The traditional pattern for reaching a private EC2 instance involved opening inbound SSH (port 22) or RDP (port 3389), usually through a bastion or jump host that itself had to be patched, monitored, and locked down. AWS Systems Manager Session Manager removes that requirement entirely. It provides browser-based or CLI shell access to EC2 instances, and even to on-premises servers registered as managed instances, without opening any inbound port and without a bastion host in the architecture at all.

Session Manager has three requirements: the SSM Agent must be running on the target instance, the instance needs an IAM role with the appropriate SSM permissions attached, and the instance needs outbound connectivity to the Systems Manager service, either directly or through a VPC endpoint if it has no internet route. Nothing has to listen for inbound connections; the instance reaches out to the SSM service instead.

Built-In Auditability

Every session can be configured to log its full command input and output to S3, to CloudWatch Logs, or both, giving security teams a complete transcript of what an engineer did during a session. Session Manager also integrates with CloudTrail, recording who started a session, on which instance, and when it ended. This combination eliminates the attack surface of an open SSH port while also improving the audit trail compared to traditional SSH key-based access, which typically leaves no record of the commands actually run.

Keeping AWS API Calls Off the Public Internet

VPC endpoints solve a related problem: reaching AWS service APIs (S3, DynamoDB, Systems Manager, and dozens of others) without routing that traffic over the public internet or through a NAT gateway.

There are two types:

Endpoint typeCostServices supportedHow it appears in the VPC
Gateway endpointFreeS3 and DynamoDB onlyA route table entry
Interface endpointBilled hourly + dataMost other AWS servicesAn ENI with a private IP
Interface endpoints are powered by AWS PrivateLink, and they show up as a network interface with a private IP address directly inside your subnet, meaning traffic to the service never leaves the AWS network. Gateway endpoints are older, free, and limited specifically to S3 and DynamoDB, working through a route table entry instead of an ENI.

PrivateLink is not limited to consuming AWS's own services. You can front your own application with a Network Load Balancer and publish it as an endpoint service, letting other VPCs, including ones in entirely different AWS accounts, connect to it privately through an Interface endpoint. None of that traffic touches the public internet, and unlike VPC peering, it does not require route table entries connecting the two VPCs to each other or CIDR ranges that avoid overlapping. Exam tip: If a question mentions eliminating inbound SSH/RDP while preserving auditability, think Session Manager. If it mentions eliminating the public internet path for AWS API calls, or exposing a service across accounts without peering, think VPC endpoints and PrivateLink.

Exam Focus Points
  • Session Manager gives shell access to EC2 instances without opening inbound SSH/RDP ports and without a bastion host, using the SSM Agent and an IAM role
  • Every Session Manager session can be logged in full (commands and output) to S3 and/or CloudWatch Logs, and session start/stop is recorded in CloudTrail
  • Gateway VPC endpoints are free and only support S3 and DynamoDB
  • Interface VPC endpoints (built on AWS PrivateLink) support most other AWS services and appear as a private ENI inside your VPC, avoiding the public internet and NAT gateways entirely
  • PrivateLink can also expose your own NLB-fronted service privately to other VPCs or AWS accounts without VPC peering and without traffic touching the public internet
Knowledge Check

1. A security team wants to eliminate inbound SSH access to a fleet of EC2 instances while still allowing engineers to get a shell for troubleshooting. What should they implement?

2. Which AWS services can be reached using a Gateway VPC endpoint?

3. A company wants to let a partner's VPC in a different AWS account privately call an internal API hosted behind a Network Load Balancer, without VPC peering or exposing it to the internet. What should they use?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.

Start Security Specialty prep free10-day free trial available